Confidential compute processing
Conversion workloads run inside the SecretVM-ready backend environment.
Security architecture
SecretConvert is designed for SecretVM deployment behind Traefik. Conversion tools, temporary job folders, secrets, metadata stripping, and signed download validation stay inside the backend workload environment.
Public pages are still visible to users. The confidential compute model is for backend processing, temporary files, application secrets, and sensitive workloads.
Conversion workloads run inside the SecretVM-ready backend environment.
LibreOffice, Poppler, qpdf, Ghostscript, ImageMagick, and ExifTool execute locally.
Files are written only to isolated UUID job folders under a non-public temp path.
ExifTool can remove embedded metadata before download when enabled.
The API returns relative, signed, expiring download URLs and never exposes public upload folders.
Inputs and work files are removed after conversion; outputs expire with the session.
Powered by SecretVM and prepared for port 3000 behind Traefik in a confidential compute deployment.
Workflow diagram
The flow is intentionally short. Less movement means fewer places for sensitive documents to leak.
The client sends selected files to the local SecretConvert deployment. Original filenames are not used for server storage.
The API creates a random UUID job folder and writes random safe filenames under a non-public temporary path.
Open-source tools execute inside the container: LibreOffice, Poppler, qpdf, Ghostscript, ImageMagick, and ExifTool.
Outputs are exposed only through signed, expiring job URLs. Upload inputs are removed after conversion.
A cleanup routine removes job folders older than the configured ten-minute retention window.
The backend accepts uploads through API routes, stores them in a private temporary job directory, converts them with local binaries, optionally strips metadata, and signs download URLs with an HMAC secret. Jobs expire according to FILE_TTL_MINUTES, with a default of ten minutes.
SecretVM protects backend processing, temporary files, secrets, and workloads from the infrastructure boundary it is designed to defend. It does not make public files private again, hide documents shared elsewhere, or prevent a user from downloading and redistributing converted files.